What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email security protocol designed to protect your business domain from business email compromise (BEC) attacks, phishing, spoofing, and impersonation. The ultimate goal is to implement a p=reject policy.


The Basics: DMARC, SPF, and DKIM

DMARC builds on two existing email authentication mechanisms:

  • SPF (Sender Policy Framework): Ensures an email is sent from an authorized server.
  • DKIM (DomainKeys Identified Mail): Adds a digital signature to emails to verify they haven't been tampered with.

DMARC uses SPF and DKIM results to instruct receiving servers on how to handle emails that fail authentication.


DMARC Policy Settings

None (p=none)

Monitoring only -- no protection is applied. Use this policy when first implementing DMARC to gather data about who is sending email on behalf of your domain.

Quarantine (p=quarantine)

Failed emails are sent to the spam folder. Use the pct tag for gradual rollout (e.g., start at 10% and increase over time).

Reject (p=reject)

Fully blocks emails that fail DMARC checks. Only apply this policy after all legitimate senders have been authenticated.


Example DMARC Records

Policy = none, no monitoring:

v=DMARC1; p=none;

Policy = none, monitored by Palisade:

v=DMARC1; p=none; pct=100; rua=mailto:a1b2c3d4e5@reports.palisade.email; fo=1; aspf=r; adkim=r; ri=86400;

Policy = quarantine:

v=DMARC1; p=quarantine; pct=100; rua=mailto:a1b2c3d4e5@reports.palisade.email; fo=1; aspf=r; adkim=r; ri=86400;

Policy = reject (30% enforcement):

v=DMARC1; p=reject; pct=30; rua=mailto:a1b2c3d4e5@reports.palisade.email; fo=1; aspf=r; adkim=r; ri=86400;

Policy = reject (full enforcement):

v=DMARC1; p=reject; pct=100; rua=mailto:a1b2c3d4e5@reports.palisade.email; fo=1; aspf=r; adkim=r; ri=86400;

Why Doesn't Palisade Apply ruf?

ruf (forensic reports) is increasingly deprecated. Most inbox providers have stopped sending these reports because they can include personally identifiable information (PII). Palisade values privacy, so ruf is not supported.


Implementing DMARC: Step by Step

1. Monitoring and Alignment

Start with p=none to monitor email traffic and identify all legitimate sending sources. Use Palisade to review DMARC reports and fix SPF/DKIM alignment issues.

2. Move to Quarantine

Once your senders are aligned, gradually enforce p=quarantine using the pct tag. This lets you catch issues before full enforcement.

3. Enforce Rejection

After confirming all legitimate email is passing DMARC checks, move to p=reject to fully block unauthorized senders.
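
To check where a domain sits in this rollout, the published record can be parsed and classified. The following is an added example, not Palisade code: the function names and stage labels are assumptions made here, and the tag names and the pct default of 100 follow RFC 7489.

```python
# Added example: parse a DMARC TXT record and report its rollout stage.
# Stage labels ("unmonitored", "partial-reject", ...) are this example's own.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and validate v= and p=."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' used in the page's records
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    return tags

def rollout_stage(record: str) -> dict:
    """Map a record onto the monitoring -> quarantine -> reject rollout."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    reporting = "rua" in tags
    if policy == "none":
        stage = "monitoring" if reporting else "unmonitored"
    elif pct < 100:
        stage = f"partial-{policy}"
    else:
        stage = f"full-{policy}"
    findings = []
    if not reporting:
        findings.append("no rua: aggregate reports are not collected")
    if policy == "none":
        findings.append("p=none: failing mail is still delivered")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy covers only {pct}% of failing mail")
    if "ruf" in tags:
        findings.append("ruf set: forensic reports may contain PII")
    return {"stage": stage, "policy": policy, "pct": pct, "findings": findings}

if __name__ == "__main__":  # sample records adapted from the page's examples
    for rec in ("v=DMARC1; p=none;", "v=DMARC1; p=reject; pct=30; rua=mailto:a1b2c3d4e5@reports.palisade.email;"):
        print(rec, "->", rollout_stage(rec))
```

A record is at the end state described in step 3 only when the stage is full-reject and the findings list is empty.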


Key Takeaways

  • DMARC ensures email security by building on SPF and DKIM to prevent domain abuse.
  • Take it step by step -- move from monitoring to quarantine to reject gradually.
  • Monitor with Palisade to automate the process and stay on top of compliance.